lokibot | b7836133ecd9f40f9fdd396ec3cc51992d69b81688b7b3e0de53d20c080d09e7

General

Target

86c27f3cc27b9db588c38356ab608ebf.exe
Size

324KB
MD5

86c27f3cc27b9db588c38356ab608ebf
SHA1

f36937c1b7583b69860a32da95e69b94140d3970
SHA256

b7836133ecd9f40f9fdd396ec3cc51992d69b81688b7b3e0de53d20c080d09e7
SHA512

66a737ffa2e411e7c1583b24ff38f266507f6878e13b73f00510543a4ec0d76501cf797a878859649ad709797c1f0005cc05b62a3294a5f4057a3a8f9c087cf4
SSDEEP

3072:+fY/TU9fE9PEtuMEX2eGeSOCxIvUbEdJd9hCNjZa4UVRgp0t5pgrGhxXFJ3cJhsQ:oYa6mEmmvWGjmMVRgp07NPVJ3esje/

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/cody/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

bvobjwjxcu.exebvobjwjxcu.exe

pid process

1680 bvobjwjxcu.exe
4836 bvobjwjxcu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1680	bvobjwjxcu.exe
4836	bvobjwjxcu.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

bvobjwjxcu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	bvobjwjxcu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	bvobjwjxcu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	bvobjwjxcu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bvobjwjxcu.exe

description pid process target process

PID 1680 set thread context of 4836 1680 bvobjwjxcu.exe bvobjwjxcu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

bvobjwjxcu.exe

pid process

1680 bvobjwjxcu.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bvobjwjxcu.exe

description pid process

Token: SeDebugPrivilege 4836 bvobjwjxcu.exe

description	pid	process	target process
PID 1680 set thread context of 4836	1680	bvobjwjxcu.exe	bvobjwjxcu.exe

pid	process
1680	bvobjwjxcu.exe

description	pid	process
Token: SeDebugPrivilege	4836	bvobjwjxcu.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

86c27f3cc27b9db588c38356ab608ebf.exebvobjwjxcu.exe

description	pid	process	target process
PID 4460 wrote to memory of 1680	4460	86c27f3cc27b9db588c38356ab608ebf.exe	bvobjwjxcu.exe
PID 4460 wrote to memory of 1680	4460	86c27f3cc27b9db588c38356ab608ebf.exe	bvobjwjxcu.exe
PID 4460 wrote to memory of 1680	4460	86c27f3cc27b9db588c38356ab608ebf.exe	bvobjwjxcu.exe
PID 1680 wrote to memory of 4836	1680	bvobjwjxcu.exe	bvobjwjxcu.exe
PID 1680 wrote to memory of 4836	1680	bvobjwjxcu.exe	bvobjwjxcu.exe
PID 1680 wrote to memory of 4836	1680	bvobjwjxcu.exe	bvobjwjxcu.exe
PID 1680 wrote to memory of 4836	1680	bvobjwjxcu.exe	bvobjwjxcu.exe

outlook_office_path 1 IoCs

Processes:

bvobjwjxcu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	bvobjwjxcu.exe

outlook_win_path 1 IoCs

Processes:

bvobjwjxcu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	bvobjwjxcu.exe

C:\Users\Admin\AppData\Local\Temp\86c27f3cc27b9db588c38356ab608ebf.exe
"C:\Users\Admin\AppData\Local\Temp\86c27f3cc27b9db588c38356ab608ebf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe
"C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe" C:\Users\Admin\AppData\Local\Temp\wjpbxani.slc
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe
"C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe

Filesize
46KB

MD5
ba5d2d04c9b23f3f4abc19545c787fe1

SHA1
efac6064c7e65030a76de7946ecb1201044a40ac

SHA256
8f06715bf05f394f0058249069f835dd80524b88825f9c7962da3774adce423f

SHA512
c038d3da21f4822a272518334b891ad51dcb1b1e9e240feec8c5f11b5b4c357334bd854bf8e42144c30b074e0a188df07ee3d51535cf94bc657226e251918f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe

Filesize
46KB

MD5
ba5d2d04c9b23f3f4abc19545c787fe1

SHA1
efac6064c7e65030a76de7946ecb1201044a40ac

SHA256
8f06715bf05f394f0058249069f835dd80524b88825f9c7962da3774adce423f

SHA512
c038d3da21f4822a272518334b891ad51dcb1b1e9e240feec8c5f11b5b4c357334bd854bf8e42144c30b074e0a188df07ee3d51535cf94bc657226e251918f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvobjwjxcu.exe

Filesize
46KB

MD5
ba5d2d04c9b23f3f4abc19545c787fe1

SHA1
efac6064c7e65030a76de7946ecb1201044a40ac

SHA256
8f06715bf05f394f0058249069f835dd80524b88825f9c7962da3774adce423f

SHA512
c038d3da21f4822a272518334b891ad51dcb1b1e9e240feec8c5f11b5b4c357334bd854bf8e42144c30b074e0a188df07ee3d51535cf94bc657226e251918f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwffc.rm

Filesize
124KB

MD5
a0ef89639310ce4c97467611bbacccfc

SHA1
dfeec8c2b0d9f290a3eb73f85c01be61c5ad27ce

SHA256
3e339c9dc915f316eb2ea8a25e566277a3220b823d53dbf700e4e4f5f09f1317

SHA512
970552f3b911a7f295d5acf190b62abb083f1df4ce19afdc71ae28a419bc7b23ff161cdafbdaa1e8b1759509d83b6879e81b8ae3d54e17b1ef380be28f4b4d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjpbxani.slc

Filesize
5KB

MD5
a1bfb92f9ec945edebc4d9114d61828b

SHA1
6b7ef4eb9373194d9892cdd55d6d504773c35cff

SHA256
99ba7379ea251956a30cde4bd6bd4aa4936536ec0bc5195d0b0980589800f380

SHA512
1e6d7700339125f69d23c8c0cd21a0cf3ea0baf879870913a8f45247e1d6a9ce49664a55eb40304f3892de751fda5712248af053005755ec3f3d31cb567bcd0d

Download Submit
memory/1680-132-0x0000000000000000-mapping.dmp

Download
memory/4836-137-0x0000000000000000-mapping.dmp

Download
memory/4836-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4836-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads